Frequently Asked Questions
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard set by the five major payment brands and industry stakeholders to protect cardholder data from exposure. It is a "self-regulating" industry standard: no government regulation covers compliance, and enforcement is left to the individual payment brands. Any organization that handles credit card information must take steps to protect that information as it is used, stored and transmitted. Organizations that suffer a breach and have not taken steps to ensure compliance can be penalized, and in some cases may even be prohibited from working with specific payment brands.
Recent revisions of the PCI DSS standard (v3.0 and v3.2) provide a set of suggested best practices and methodologies that make it possible to comply with PCI on an ongoing basis rather than as a point-in-time exercise. These changes affect how organizations go about ensuring compliance. This solution brief looks at the requirements that apply to application security and discusses the issues that should be considered during the Software Development Lifecycle (SDLC).
Who has to comply with PCI DSS?
Perhaps a better question is “Who doesn’t have to comply?” The PCI DSS applies to every aspect of credit card processing.
Today, many companies with internal or public-facing websites fall under some section of the Payment Card Industry Data Security Standard. Any company that collects, stores or transmits credit card data is subject to PCI DSS. If any aspect of a business touches credit card processing, including but not limited to credit card terminals, credit card imprinters, mobile payment devices, online payments, paper forms, payment-enabled software or point of sale (POS) solutions, PCI DSS applies, and the organization must determine which requirements apply to it. The standard is especially relevant in certain high-profile industries such as healthcare, financial services, retail and service providers. PCI DSS offers best practices and guidelines for compliance.
What are some principal issues for compliance in application security?
The recent enhancements to PCI DSS call for changes in how organizations secure in-house application development and how they ensure the security of their internal and external applications.